HawkInsight

FINRA fines two firms over supervisory failures that left customer data exposed to cyber intrusions

Osaic Wealth and Securities America failed to establish supervisory systems designed to protect customer records and information.

The Financial Industry Regulatory Authority (FINRA) has fined Osaic Wealth (formerly Royal Alliance Associates) and Securities America.

From January 2021 to March 2023, both Osaic Wealth and Securities America failed to establish and maintain reasonably designed supervisory systems, including written supervisory procedures (WSPs), to protect customer records and information.

Between January 2021 and March 2023, Osaic Wealth and Securities America each relied on enterprise-level cybersecurity programs offered by their parent companies; however, until March 2023, each firm's WSPs allowed its independent affiliates to develop their own security and data loss prevention controls.

Until March 2023, neither Osaic Wealth nor Securities America imposed minimum cybersecurity requirements on those affiliates, so many branches lacked basic data loss prevention controls such as multi-factor authentication for all email accounts, encryption of outgoing emails containing customers' non-public personal information, and retention of email access logs.

Prior to the relevant period, Osaic Wealth and Securities America had learned from FINRA examinations that their affiliates lacked reasonable cybersecurity controls. In addition, during the relevant period, each firm experienced multiple cyber intrusions, many of which involved email account takeovers that controls such as multi-factor authentication could have prevented.

These intrusions allowed unauthorized third parties to obtain customers' non-public personal information, including Social Security numbers, dates of birth, bank account numbers, and driver's license information. Specifically:

  • Osaic Wealth suffered 16 cyber intrusions that led to the disclosure of non-public personal information of some 28,000 customers.
  • Securities America experienced eight cyber intrusions that resulted in the disclosure of non-public personal information of at least 4,640 customers.

Following each intrusion, Osaic Wealth and Securities America followed their Cyber Security Incident Response Policy, engaging external cybersecurity consultants to assist with incident response and notifying affected customers as well as FINRA.

However, until March 2023, neither Osaic Wealth nor Securities America strengthened the minimum cybersecurity requirements for their branches, and the individual branches of the two firms did not strengthen their own controls throughout the relevant period, for example by requiring multi-factor authentication. In addition, neither firm implemented a firm-wide procedure requiring that customers' non-public personal information be encrypted when sent by email.

As of March 2023, each firm requires multi-factor authentication for all email accounts used to conduct its business and has supervisory procedures in place to monitor compliance with the multi-factor authentication policy.

By failing to establish and maintain a reasonably designed supervisory system (including WSPs) to protect customer records and information, Osaic Wealth and Securities America violated the Safeguards Rule and FINRA Rules 3110 and 2010.

Osaic Wealth has agreed to a censure and a $150,000 fine; Securities America agreed to the same penalty.

Disclaimer: The views in this article are from the original author and do not represent the views or position of Hawk Insight. The content of the article is for reference, communication and learning only, and does not constitute investment advice. If it involves copyright issues, please contact us for deletion.